mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/profiles/apparmor.d/usr.sbin.dnsmasq

147 lines
4.2 KiB
Text
Raw Normal View History

Attached is an updated dnsmasq profile that fixes the following: - allow net_admin capability for DHCP server - allow net_raw and network inet raw for ICMP pings when used as a DHCP server - allow read and write access to libvirt pid files for dnsmasq See the FAQ in the dnsmasq source for details. This fixes https://launchpad.net/bugs/697239
2011-01-12 11:47:04 -06:00
# ------------------------------------------------------------------
#
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions
2010-08-05 14:00:02 -05:00
policy: tag policy with the AppArmor 3.0 abi Tag profiles and abstractions with abi information. Tagging abstractions is not strictly necessary but allows the parser to detect when their is a mismatch and that policy will need an update for abi. We do not currently tag the tunables because variable declarations are not currently affected by abi. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2020-05-05 00:08:39 -07:00
abi <abi/3.0>,
usr.sbin.dnsmasq: add /srv/tftp
2018-09-30 13:55:44 +03:00
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
Allow dnsmasq's profile to read and write to /var/tftp (configurable)
2011-12-16 12:15:12 -05:00
Change `#include` to `include` in active profiles
2020-06-09 23:30:24 +02:00
include <tunables/global>
profiles: support distributions which merge sbin into bin Closes #8
2018-07-25 14:07:35 -07:00
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
Change `#include` to `include` in active profiles
2020-06-09 23:30:24 +02:00
include <abstractions/base>
include <abstractions/dbus>
include <abstractions/nameservice>
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
dnsmasq profile: allow chown capability. dnsmasq on Debian sid now chown's its PID file. Bug-Debian: https://bugs.debian.org/889806 Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-07 07:57:55 +00:00
capability chown,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
capability net_bind_service,
capability setgid,
capability setuid,
capability dac_override,
Attached is an updated dnsmasq profile that fixes the following: - allow net_admin capability for DHCP server - allow net_raw and network inet raw for ICMP pings when used as a DHCP server - allow read and write access to libvirt pid files for dnsmasq See the FAQ in the dnsmasq source for details. This fixes https://launchpad.net/bugs/697239
2011-01-12 11:47:04 -06:00
capability net_admin, # for DHCP server
capability net_raw, # for DHCP server ping checks
network inet raw,
dnsmasq profile needs inet6 raw Add "network inet6 raw," to the dnsmasq profile as counterpart to the IPv4 "network inet raw," References: https://bugzilla.novell.com/show_bug.cgi?id=907870 Acked-by: Steve Beattie <steve@nxnw.org>
2014-12-02 18:46:26 +01:00
network inet6 raw,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
profiles: support distributions which merge sbin into bin Closes #8
2018-07-25 14:07:35 -07:00
signal (receive) peer=/usr/{bin,sbin}/libvirtd,
dnsmasq: allow peer=libvirtd to support named profile The /usr/sbin/libvirtd profile will get a profile name ("libvirtd"). This patch adjusts the dnsmasq profile to support the named profile in addition to the "old" path-based profile name. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
2019-01-13 17:38:09 +01:00
signal (receive) peer=libvirtd,
profiles: support distributions which merge sbin into bin Closes #8
2018-07-25 14:07:35 -07:00
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
dnsmasq: allow peer=libvirtd to support named profile The /usr/sbin/libvirtd profile will get a profile name ("libvirtd"). This patch adjusts the dnsmasq profile to support the named profile in addition to the "old" path-based profile name. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
2019-01-13 17:38:09 +01:00
ptrace (readby) peer=libvirtd,
dnsmasq profile updates for signals and ptrace from libvirtd Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-06-23 15:31:40 -05:00
dnsmasq profile update: allow /dev/tty This patch is based on a SLE12 patch to allow executing the --dhcp-script. We already have most parts of that patch since r2841, except /dev/tty rw which is needed for the shell's stdout and stderr. References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public) Acked by Seth Arnold on IRC (with "owner" added)
2015-10-16 21:50:21 +02:00
owner /dev/tty rw,
usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81 See http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=48755ebf093543113de96747a7f5f78e0640b333 . Signed-off-by: nl6720 <nl6720@gmail.com>
2020-04-12 12:12:59 +03:00
@{PROC}/@{pid}/fd/ r,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
Allow reading conf snippets from /etc/dnsmasq.d-available Some packages like libvirt-bin and lxc drop conf snippets in /etc/dnsmasq.d-available and make them available through symlinks in /etc/dnsmasq.d created during postinst.
2015-11-09 20:05:25 -05:00
/etc/dnsmasq.d-available/ r,
/etc/dnsmasq.d-available/* r,
From: Jeff Mahoney <jeffm@suse.com> Subject: dnsmasq: Profile fixes References: bnc#666090 bnc#678749 Signed-off-by: Jeff Mahoney <jeffm@suse.com> Updated to match master by Christian Boltz <apparmor@cboltz.de> Updated for systemd (/{,var/},run/ instead of /var/run/) by Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> (final confirmation on IRC in #apparmor)
2011-08-08 23:13:15 +02:00
/etc/ethers r,
dnsmasq profile - NetworkManager integration This is an updated version of the previous dnsmasq profile patch, again from develop7 [at] develop7.info Acked-by: John Johansen <john.johansen@canonical.com>
2014-02-17 22:56:02 +01:00
/etc/NetworkManager/dnsmasq.d/ r,
/etc/NetworkManager/dnsmasq.d/* r,
usr.sbin.dnsmasq: add paths for NetworkManager connection sharing Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
2018-09-18 12:57:22 +03:00
/etc/NetworkManager/dnsmasq-shared.d/ r,
/etc/NetworkManager/dnsmasq-shared.d/* r,
usr.sbin.dnsmasq: add configuration files created by openresolv See https://roy.marples.name/projects/openresolv/configuration.html#dnsmasq . Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-20 11:39:10 +02:00
/etc/dnsmasq-conf.conf r,
/etc/dnsmasq-resolv.conf r,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
profiles: support distributions which merge sbin into bin Closes #8
2018-07-25 14:07:35 -07:00
/usr/{bin,sbin}/dnsmasq mr,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
dnsmasq: Adjust pattern for log files to comply SELinux i.e. move '*' from beginning to before suffix. Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added pattern, which is not compatible with SELinux. As this pattern has been in SELinux since 2011 (with recent change to accept '.log' suffix + logrotate patterns which are not relevant to AppArmor) IMHO it's better to adjust our profile. Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files") Signed-off-by: Petr Vorel <pvorel@suse.cz>
2018-12-07 23:40:19 +01:00
/var/log/dnsmasq*.log w,
dnsmasq: Add permission to open log files --log-facility option needs to have permission to open files. Use '*' to allow using more files (for using more dnsmasq instances). Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2018-10-08 16:44:01 +02:00
dnsmasq: allow reading DNSSEC trust anchors At least on Debian, when DNSSEC validation is enabled, dnsmasq needs to read /usr/share/dnsmasq-base/trust-anchors.conf Bug-Debian: https://bugs.debian.org/934869
2020-05-25 10:42:26 +00:00
/usr/share/dnsmasq{-base,}/ r,
/usr/share/dnsmasq{-base,}/* r,
usr.sbin.dnsmasq: add paths for NetworkManager connection sharing Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
2018-09-18 12:57:22 +03:00
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/*dnsmasq*.pid w,
@{run}/dnsmasq-forwarders.conf r,
@{run}/dnsmasq/ r,
@{run}/dnsmasq/* rw,
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions
2010-08-05 14:00:02 -05:00
Change /bin/ paths in profiles to also match on /usr/bin/ oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin. This means we have to update paths for /bin/ in several profiles to also allow /usr/bin/ Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9
2015-10-20 23:12:35 +02:00
/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
Fix the dnsmasq profile to allow executing bash to run the --dhcp-script argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt leasehelper script to run even on x86_64. References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001 Patch by "Cédric Bosdonnat" <cbosdonnat@suse.com> Note: the original patch used {lib,lib64} - I changed it to lib{,64} to match the style we typically use. Acked-by: John Johansen <john.johansen@canonical.com>
2014-12-22 17:56:37 +01:00
Allow dnsmasq read access to IPv6 config The IPv6 Neighbor Discovery protocol (RFC 2461) suggests implementations provide MTU in Router Advertisement (RA) messages. From section 4.2 MTU SHOULD be sent on links that have a variable MTU (as specified in the document that describes how to run IP over the particular link type). MAY be sent on other links. dnsmasq supports this option and should have read access to an interface's MTU. Patch by James Fehlig <jfehlig@suse.com> slightly modified (../conf/**/mtu -> ../conf/*/mtu) Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-06 23:06:46 +02:00
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
Fix for commit trunk r2657: > Allow dnsmasq read access to IPv6 config The commit did not match this part of the commit message > slightly modified (../conf/**/mtu -> ../conf/*/mtu) which I'm fixing now.
2014-09-08 20:35:31 +02:00
@{PROC}/sys/net/ipv6/conf/*/mtu r,
Allow dnsmasq read access to IPv6 config The IPv6 Neighbor Discovery protocol (RFC 2461) suggests implementations provide MTU in Router Advertisement (RA) messages. From section 4.2 MTU SHOULD be sent on links that have a variable MTU (as specified in the document that describes how to run IP over the particular link type). MAY be sent on other links. dnsmasq supports this option and should have read access to an interface's MTU. Patch by James Fehlig <jfehlig@suse.com> slightly modified (../conf/**/mtu -> ../conf/*/mtu) Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-06 23:06:46 +02:00
dnsmasq's TFTP server provides read-only access.
2011-12-17 12:20:53 -05:00
# for the read-only TFTP server
Allow dnsmasq's profile to read and write to /var/tftp (configurable)
2011-12-16 12:15:12 -05:00
@{TFTP_DIR}/ r,
dnsmasq's TFTP server provides read-only access.
2011-12-17 12:20:53 -05:00
@{TFTP_DIR}/** r,
Allow dnsmasq's profile to read and write to /var/tftp (configurable)
2011-12-16 12:15:12 -05:00
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
# libvirt config and hosts file for dnsmasq
Newer version of libvirt have a lease helper. Update dnsmasq policy for this. Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-08-20 22:06:15 -05:00
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/* r,
fix LP: #815883 - update dnsmasq profile for new libvirt lease file path
2011-07-25 08:28:04 -05:00
Attached is an updated dnsmasq profile that fixes the following: - allow net_admin capability for DHCP server - allow net_raw and network inet raw for ICMP pings when used as a DHCP server - allow read and write access to libvirt pid files for dnsmasq See the FAQ in the dnsmasq source for details. This fixes https://launchpad.net/bugs/697239
2011-01-12 11:47:04 -06:00
# libvirt pid files for dnsmasq
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/libvirt/network/ r,
@{run}/libvirt/network/*.pid rw,
Attached is an updated dnsmasq profile that fixes the following: - allow net_admin capability for DHCP server - allow net_raw and network inet raw for ICMP pings when used as a DHCP server - allow read and write access to libvirt pid files for dnsmasq See the FAQ in the dnsmasq source for details. This fixes https://launchpad.net/bugs/697239
2011-01-12 11:47:04 -06:00
Newer version of libvirt have a lease helper. Update dnsmasq policy for this. Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-08-20 22:06:15 -05:00
# libvirt lease helper
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
Invalid path to libvirt_leaseshelper in usr.sbin.dnsmasq The error: type=AVC msg=audit(1585403559.846:34317577): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=7162 comm="sh" requested_mas k="x" denied_mask="x" fsuid=0 ouid=0 type=AVC msg=audit(1585403559.846:34317578): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=7162 comm="sh" requested_mas k="r" denied_mask="r" fsuid=0 ouid=0 Looks like the path to libvirt_leasehelper is incorrect usr.sbin.dnsmasq, at least in gentoo. Patching the file fixes the problem: issue: https://gitlab.com/apparmor/apparmor/-/issues/87 Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-03-28 12:42:13 -07:00
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
Newer version of libvirt have a lease helper. Update dnsmasq policy for this. Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-08-20 22:06:15 -05:00
usr.sbin.dnsmasq: add lxc-net paths
2015-03-29 20:49:09 -07:00
# lxc-net pid and lease files
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/lxc/dnsmasq.pid rw,
usr.sbin.dnsmasq: add lxc-net paths
2015-03-29 20:49:09 -07:00
/var/lib/misc/dnsmasq.*.leases rw,
usr.sbin.dnsmasq: add lxd-bridge rules
2016-04-08 16:23:47 -04:00
# lxd-bridge pid and lease files
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/lxd-bridge/dnsmasq.pid rw,
usr.sbin.dnsmasq: add lxd-bridge rules
2016-04-08 16:23:47 -04:00
/var/lib/lxd-bridge/dnsmasq.*.leases rw,
dnsmasq profile: more lxd additions Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read access for some files is needed (currently dnsmasq.raw and dnsmasq.hosts - using dnsmasq.* makes this more future-proof when more files get added) References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again) Acked-by: John Johansen <john.johansen@canonical.com> Bug: https://launchpad.net/bugs/1403468
2016-10-21 13:07:14 +02:00
/var/lib/lxd/networks/*/dnsmasq.* r,
Add new dnsmasq.leases location for lxd to dnsmasq profiles References: https://bugs.launchpad.net/bugs/1634199 Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
2016-10-18 13:22:53 +02:00
/var/lib/lxd/networks/*/dnsmasq.leases rw,
dnsmasq profile: more lxd additions Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read access for some files is needed (currently dnsmasq.raw and dnsmasq.hosts - using dnsmasq.* makes this more future-proof when more files get added) References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again) Acked-by: John Johansen <john.johansen@canonical.com> Bug: https://launchpad.net/bugs/1403468
2016-10-21 13:07:14 +02:00
/var/lib/lxd/networks/*/dnsmasq.pid rw,
usr.sbin.dnsmasq: add lxd-bridge rules
2016-04-08 16:23:47 -04:00
Adjust dnsmasq profile for read access to /{,var/}run/nm-dns-dnsmasq.conf which is needed by NetworkManager integration in Ubuntu. (LP: #917628) Acked-by: Jamie Strandboge <jamie@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2012-01-18 16:20:43 -06:00
# NetworkManager integration
usr.sbin.dnsmasq: add paths for NetworkManager connection sharing Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
2018-09-18 12:57:22 +03:00
/var/lib/NetworkManager/dnsmasq-*.leases rw,
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/nm-dns-dnsmasq.conf r,
@{run}/nm-dnsmasq-*.pid rw,
@{run}/sendsigs.omit.d/*dnsmasq.pid w,
@{run}/NetworkManager/dnsmasq.conf r,
@{run}/NetworkManager/dnsmasq.pid w,
@{run}/NetworkManager/NetworkManager.pid w,
Adjust dnsmasq profile for read access to /{,var/}run/nm-dns-dnsmasq.conf which is needed by NetworkManager integration in Ubuntu. (LP: #917628) Acked-by: Jamie Strandboge <jamie@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2012-01-18 16:20:43 -06:00
dnsmasq: allow paths for podman dnsname plugin The dnsname plugin in podman needs access to some files in /run/containers/cni/dnsname/*/ This is also documented upstream: https://github.com/containers/dnsname/blob/main/README_PODMAN.md but nobody thought about telling us to just update the profile :-/ Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1190271
2021-09-16 23:05:57 +02:00
# dnsname plugin in podman
@{run}/containers/cni/dnsname/*/dnsmasq.conf r,
@{run}/containers/cni/dnsname/*/addnhosts r,
@{run}/containers/cni/dnsname/*/pidfile rw,
dnsmasq: allow paths for podman dnsname plugin in rootless mode In rootless mode, files needed to access are under /run/user/, so those needs to be defined separately.
2022-08-22 09:52:12 +00:00
owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
dnsmasq: allow paths for podman dnsname plugin The dnsname plugin in podman needs access to some files in /run/containers/cni/dnsname/*/ This is also documented upstream: https://github.com/containers/dnsname/blob/main/README_PODMAN.md but nobody thought about telling us to just update the profile :-/ Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1190271
2021-09-16 23:05:57 +02:00
Merge profiles: dnsmasq: add Waydroid pid file Waydroid uses LXC and some lxc-net equivalent scripts. Allow that. https://github.com/waydroid/waydroid/blob/b910c891740026aeba2cd6a86f93ca87ef57e3c6/data/scripts/waydroid-net.sh https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/969 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit d61ccafcb3d82c261099a681470937bd1af7df57) 977e45c1 profiles: dnsmasq: add Waydroid pid file
2023-01-22 18:11:00 +00:00
# waydroid lxc-net pid file
@{run}/waydroid-lxc/dnsmasq.pid rw,
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
profile libvirt_leaseshelper {
Change `#include` to `include` in active profiles
2020-06-09 23:30:24 +02:00
include <abstractions/base>
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
/etc/libnl-3/classid r,
dnsmasq: Add missing r permissions for libvirt_leaseshelper Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since this is probably unrelated to the path or a path change, this commit also adds r permissions for the previous path. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
2022-08-08 20:48:12 +02:00
/usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
/usr/libexec/libvirt_leaseshelper mr,
dnsmasq: allow libvirt_leaseshelper "m" permission on itself. Without this, on current Debian unstable, libvirt_leaseshelper crashes when dnsmasq starts it.
2016-11-06 10:48:34 +01:00
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
owner @{PROC}/@{pid}/net/psched r,
owner @{PROC}/@{pid}/status r,
Use @{sys} tunable in profiles and abstractions Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551
2018-11-08 20:00:45 +02:00
@{sys}/devices/system/cpu/ r,
Merge Allow reading /sys/devices/system/cpu/possible ... in the dnsmasq//libvirt_leaseshelper profile Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849 I propose this patch for 3.0, 3.1 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit 37f0f774257ad184cf04917308e48682c6944328) ace8e044 Allow reading /sys/devices/system/cpu/possible
2022-10-29 12:50:44 +00:00
@{sys}/devices/system/cpu/possible r,
Use @{sys} tunable in profiles and abstractions Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551
2018-11-08 20:00:45 +02:00
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
# libvirt lease and status files for dnsmasq
/var/lib/libvirt/dnsmasq/*.leases rw,
/var/lib/libvirt/dnsmasq/*.status* rw,
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/leaseshelper.pid rwk,
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile. ... and add a few mostly innocuous permissions in there, that are not strictly needed for a seemingly functional setup, but the lack thereof triggers denial logs, that could indicate that the software falls back to some degraded operation mode.
2015-08-12 16:25:56 +02:00
}
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions
2010-08-05 14:00:02 -05:00
# Site-specific additions and overrides. See local/README for details.
switch local includes to "include if exists"
2020-04-28 22:25:27 +02:00
include if exists <local/usr.sbin.dnsmasq>
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
}
Reference in a new issue Copy permalink